Zero Trust Doesn’t Mean Zero Breaches
We occasionally get asked this question: “Would Zero Trust have prevented [insert high-profile breach]?” The breach in question could be Equifax, SolarWinds, or the United States Office of Personnel Management. We haven’t been asked (yet) about the announcement from Microsoft this month, where they acknowledged that they were a target of, and indeed had an employee compromised by, NOBELIUM, the threat actor behind the attacks against SolarWinds.
But the meta-answer to the question is always the same. When asked if Zero Trust would have stopped the breach, the correct response is:
“Zero Trust acknowledges that bad things happen to good people and prescribes techniques in place to limit the blast radius, detect the incident, and respond automatically.”
The detailed and specific answer to any particular breach depends on the actual mechanism incorporated for the initial infection and/or propagation. In the case of SolarWinds, the initial infection threat vector is unknown. Its dissemination technique, on the other hand, is as public as it is horrifying: the previously trusted software supply chain. Solorigate, another child of NOBELIUM, propagated via SolarWinds, downloading and installing Cobalt Strike on an endpoint.
A modern Zero Trust-oriented architecture doesn’t promise to prevent these attacks and render an environment immune to all attacks — despite overexuberant vendor promises to do so. Instead, the controls do the following: endpoint prevention and protection stops malicious activity; endpoint detection and response finds what slips by; microsegmentation prevents its spread; and the crack security operations center uses security automation to remediate.
The exact technical attack details aren’t available for the more recent case of NOBELIUM compromising a Microsoft support agent. What NOBELIUM did after the intrusion is perhaps most interesting. As seen before in its breach of SolarWinds and its takeover of a Constant Contact user account, NOBELIUM’s modus operandi is to exploit the brand, reputation, and trust that individuals place in organizations they work with to gain a foothold in new environments and then exploit that brand, reputation, and trust to find the next victim. And it also highlights that phishing and spear-phishing campaigns — the most pedestrian, but effective threat vector in use today — isn’t going anywhere.
Here, Microsoft was redeemed by its devotion to the least privilege access principle, long espoused by Forrester’s Zero Trust Model. That support agent (likely) only had access to customer information for the cases they were actively working on.
So, this announcement serves as a reminder of these four core elements to keep in mind with Zero Trust:
- High-profile organizations will get breached.
- Zero Trust does not make a business breach-proof.
- Zero Trust limits the damage when architected and applied correctly.
- Zero Trust inherently enables long-standing security principles like least privilege.
We wrote this blog because security pros can use the Microsoft breach as an example of how Zero Trust limits the impact of successful intrusions in a real-world incident. Internally at Forrester, we call Zero Trust our 10-year overnight success. And we think of it that way for this reason: How refreshing is it to read about a breach where the impact was severely restricted because security did not fail? The Zero Trust security principles that Microsoft adheres to — and espouses — worked.
It announced a small breach affecting a limited set of customers, and it largely went unnoticed. No need to notify hundreds of thousands of customers, stand up a separate website so individuals could check to see if they were affected, nor hire on-demand support personnel to handle the volume of incoming calls. Adhering to Zero Trust principles meant this breach was contained. Microsoft stopped the bleeding and quietly announced a rather limited intrusion.
If you want to know if Zero Trust “works,” this breach is proof it does.
If we all agree to the inevitability of breaches, this acts as a perfect example — and potential foreshadowing — of what all breach announcements in a world of Zero Trust dominance could be like.